Cracking hashes with Python

I have a school project to do where I've to download MD5 Hashes from a particular website and write a code that will crack them. Does anyone know where I'll find out more information on how to do this? There's only 4 hashes that I need to do so it doesn't have to be a large script just needs to be able to download the hashes from the website. Can anyone help me out?

Advertisements

On Tue, Nov 26, 2013 at 10:32 AM, TheRandomPast <> wrote:
> I have a school project to do where I've to download MD5 Hashes from a particular website and write a code that will crack them. Does anyone know where I'll find out more information on how to do this? There's only 4 hashesthat I need to do so it doesn't have to be a large script just needs to beable to download the hashes from the website. Can anyone help me out?

Do you actually need to download them from that web site, or can you
simply embed them into your code? The latter would be far easier.

I'm going to assume that you don't need to do anything more
complicated than brute-force these, and I'll also assume that they're
unsalted hashes.

With a cryptographic hash function, you take text, put it into the
function, and get back a number (or a hex or binary string, which
comes to the same thing). You can't go from the number to the string;
however, you can generate a large number of strings to see if any of
them results in the same number. You can take "large number" all the
way, and generate every possible string of a certain length, or you
can go through a dictionary and generate words. Once you find
something that matches, you have a plausible guess that this is the
password.

There's a basic idea of what "cracking" a hash means. Put a bit of
code together, see how you go. If you get stuck, post your code and
how you're stuck, and we'll try to help; but we won't simply write
your code for you. (By the way, thanks for being up-front about it
being a school project. The honesty is appreciated, even though we
would almost certainly be able to tell even if you didn't. )

One last thing: Please get off Google Groups. It makes your posts look
ugly, which makes you look bad, and that's (probably!) unfair. Use a
better news client, or subscribe to the mailing list and read and post through that. There are a
number of regulars here who simply trash all Google Groups posts
unread, because they're just not worth reading - switching clients
will help you be heard, and will mean you don't annoy people with
form. Of course, if you want to annoy us with substance, that's your
God-given right.

Advertisements

On Monday, 25 November 2013 23:47:52 UTC, Chris Angelico wrote:
> On Tue, Nov 26, 2013 at 10:32 AM, TheRandomPast wrote:
>
> > I have a school project to do where I've to download MD5 Hashes from a particular website and write a code that will crack them. Does anyone know where I'll find out more information on how to do this? There's only 4 hashes that I need to do so it doesn't have to be a large script just needs to be able to download the hashes from the website. Can anyone help me out?
>
>
>
> Do you actually need to download them from that web site, or can you
>
> simply embed them into your code? The latter would be far easier.
>
>
>
> I'm going to assume that you don't need to do anything more
>
> complicated than brute-force these, and I'll also assume that they're
>
> unsalted hashes.
>
>
>
> With a cryptographic hash function, you take text, put it into the
>
> function, and get back a number (or a hex or binary string, which
>
> comes to the same thing). You can't go from the number to the string;
>
> however, you can generate a large number of strings to see if any of
>
> them results in the same number. You can take "large number" all the
>
> way, and generate every possible string of a certain length, or you
>
> can go through a dictionary and generate words. Once you find
>
> something that matches, you have a plausible guess that this is the
>
> password.
>
>
>
> There's a basic idea of what "cracking" a hash means. Put a bit of
>
> code together, see how you go. If you get stuck, post your code and
>
> how you're stuck, and we'll try to help; but we won't simply write
>
> your code for you. (By the way, thanks for being up-front about it
>
> being a school project. The honesty is appreciated, even though we
>
> would almost certainly be able to tell even if you didn't. )
>
>
>
> One last thing: Please get off Google Groups. It makes your posts look
>
> ugly, which makes you look bad, and that's (probably!) unfair. Use a
>
> better news client, or subscribe to the mailing list
>
> and read and post through that. There are a
>
> number of regulars here who simply trash all Google Groups posts
>
> unread, because they're just not worth reading - switching clients
>
> will help you be heard, and will mean you don't annoy people with
>
> form. Of course, if you want to annoy us with substance, that's your
>
> God-given right.
>
>
>
> ChrisA

Hi, thanks for replying. I don't like google groups layout either I was just unsure as to what to use. I already have some code on the go I just couldn't figure out the best way to do what I wanted to do so I thought I'd ask and see if anyone could point me in the right direction. I *have* to download them, i know how many there are because I used a text editor to find them.

On Tue, Nov 26, 2013 at 11:01 AM, TheRandomPast <> wrote:
> Hi, thanks for replying. I don't like google groups layout either I was just unsure as to what to use. I already have some code on the go I just couldn't figure out the best way to do what I wanted to do so I thought I'd ask and see if anyone could point me in the right direction. I *have* to download them, i know how many there are because I used a text editor to find them.
>
> What client do you suggest I use instead of google groups?

On Mon, 25 Nov 2013 15:32:41 -0800, TheRandomPast wrote:
> Hi,
>
> I have a school project to do where I've to download MD5 Hashes from a
> particular website and write a code that will crack them.

A school project. Right. Heh.

And which website's hashes would this be?

> Does anyone
> know where I'll find out more information on how to do this? There's
> only 4 hashes that I need to do so it doesn't have to be a large script
> just needs to be able to download the hashes from the website. Can
> anyone help me out?

The size of the script has nothing to do with the number of hashes you
have to crack. Whether it is one hash and one million, the script will be
exactly the same.

Do you have to write a program to download the hashes, or can you just
browse to the web address with your browser and save them?

On Tuesday, 26 November 2013 02:46:09 UTC, Frank Cui wrote:
> Hi,
>
>
> I'm assuming you are taking a computer/network security course.
>
> Md5 hashing operation is designed to be mathematically unidirectional, you can only attempt to find a collision situation but it's technically impossible to reverse the operation.
>
>
> With that said, it's possible to "crack" or "decrypt" a md5 hash value bysearching through a value-hash database to find the most commonly used password under a given hash value. You can see the tool at http://www.md5crack.com/home.
>
> Yatong
>
>
> > From:
> > Subject: Re: Cracking hashes with Python
> > Date: Tue, 26 Nov 2013 02:55:58 +0000
> > To:
> >
> > On Mon, 25 Nov 2013 15:32:41 -0800, TheRandomPast wrote:
> >
> > > Hi,
> > >
> > > I have a school project to do where I've to download MD5 Hashes from a
> > > particular website and write a code that will crack them.
> >
> > A school project. Right. Heh.
> >
> > And which website's hashes would this be?
> >
> >
> > > Does anyone
> > > know where I'll find out more information on how to do this? There's
> > > only 4 hashes that I need to do so it doesn't have to be a large script
> > > just needs to be able to download the hashes from the website. Can
> > > anyone help me out?
> >
> > The size of the script has nothing to do with the number of hashes you
> > have to crack. Whether it is one hash and one million, the script will be
> > exactly the same.
> >
> > Do you have to write a program to download the hashes, or can you just
> > browse to the web address with your browser and save them?
> >
> > If you have to write your own program, start here:
> >
> > https://duckduckgo.com/?q=python+how+to+download+data+from+the+web
> >
> >
> > --
> > Steven
> > --
> > https://mail.python.org/mailman/listinfo/python-list

Hi, Thanks for answering.

I have already created a script that downloads the hash values and prints them on my GUI, now I'm just struggling to figure out how to pass these values into the next part of my code to crack them.

and I've started the second part, the part to crack them. If anyone could tell me where I'd find more information on this subject and how to crack them that would be great. As I print them on screen I was thinking I could write a program that allows the md5 to be entered and then cracked.
>import hashlib
>def crackMD5Hash():
> md5Hash = raw_input('What is the Hash to be decrypted : ')

On Tue, Nov 26, 2013 at 9:30 PM, TheRandomPast <> wrote:
> and I've started the second part, the part to crack them. If anyone couldtell me where I'd find more information on this subject and how to crack them that would be great. As I print them on screen I was thinking I could write a program that allows the md5 to be entered and then cracked.

Okay. This is where the irreversible nature of hash functions comes
into play. You can't actually take the hash and go back to the
password; what you have to do is try lots of passwords and find one
that has the right hash.

Python has a data structure that lets you store keys and values, and
then see whether the key you're looking for is there. See if you can
use that.

Thanks. From what I've been able to find online I've created a dictionary
file with words and the words I know the hash values to be and I'm trying
to get it to use that however when I run this I get no errors but it
doesn't do anything, like ask me to input my hash value. Am i just being
stupid?
>import sys, re, hashlib
>def chklength(hashes):
> if len(hashes) != 32:
> print '[-] Improper length for md5 hash.'
> sys.exit(1)
>def dict_check():
> md5hashes = raw_input('\nPlease enter the Hash value to be decrypted:
')
> chklength(md5hashes)

On Tue, Nov 26, 2013 at 10:39 AM, Chris Angelico <> wrote:
> On Tue, Nov 26, 2013 at 9:30 PM, TheRandomPast <>
> wrote:
> > and I've started the second part, the part to crack them. If anyone
> could tell me where I'd find more information on this subject and how to
> crack them that would be great. As I print them on screen I was thinking I
> could write a program that allows the md5 to be entered and then cracked.
>
> Okay. This is where the irreversible nature of hash functions comes
> into play. You can't actually take the hash and go back to the
> password; what you have to do is try lots of passwords and find one
> that has the right hash.
>
> Python has a data structure that lets you store keys and values, and
> then see whether the key you're looking for is there. See if you can
> use that.
>
> ChrisA
> --
> https://mail.python.org/mailman/listinfo/python-list
>

On Tue, Nov 26, 2013 at 10:46 PM, TheRandomPast .
<> wrote:
> Thanks. From what I've been able to find online I've created a dictionary
> file with words and the words I know the hash values to be and I'm trying to
> get it to use that however when I run this I get no errors but it doesn't do
> anything, like ask me to input my hash value. Am i just being stupid?

The code you've pasted to us is a bit mangled. Can you try to post a
clean copy, please? No angle brackets in front of the lines, and
getting the indentation correct, because I think this might be your
problem:
>wordlist = open('C:\dictionary.txt', r)
>try:
> words = wordlist
>except(IOError):
> print "[-] Error: Check the path.\n"
>sys.exit(1)

The first part of the problem is that the sys.exit() call isn't
indented, so it's executed whether there's an exception thrown or not.

The second part of the problem is that you're catching an exception
only to emit a message and terminate. Don't. Just let the exception
happen; it'll... emit a message and terminate.

The third part of the problem is that you're bracketing the wrong part
of the code in the try/except. The simple assignment isn't going to
fail - the open call will. (Or maybe the readlines below it, but more
likely the open.)

So here's the fixed version of the above code:

words = open('C:/dictionary.txt', r)

Yep, it's really that simple. (Though there's another fragility in
what you had: the use of \d in a quoted string. It happens to have no
meaning, so it happens to work, but if you use "c:\textfile.txt",
you'll get quite the wrong result. You can double the backslash
"c:\\dictionary.txt", or you can use a raw string
r"c:\dictionary.txt", or you can use a forward slash, as I did above.)

See if that helps. If not, posting a clean copy of your current code
will help a lot.

On 2013-11-26 10:30, TheRandomPast wrote:
> and I've started the second part, the part to crack them. If anyone could tell me where I'd find more information on this subject and how to crack them that would be great.

What resources did your teacher give you? What have you been taught in class
about this subject?

--
Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
that is made terrible by our own mad attempt to interpret it as though it had
an underlying truth."
-- Umberto Eco

- Teacher has taught us nothing about MD5. This being the script he wanted
us to write came as a surprise to everyone but complaints about projects
are constantly ignored. This particular teacher is complained about for
this reason every year but nothing ever changes.

This is my code. I hope it looks better? I'm sorry if it doesn't. I'm
trying to get the hang of posting by email

print "\n",len(words),"words loaded…" (This line now throws up an error
where it wasn't before: TypeError: object of type 'file' has no len()
- I'm guessing this is because it's not picking up my file but I can't see
why it shouldn't?

On Tue, Nov 26, 2013 at 1:00 PM, Robert Kern <> wrote:
> On 2013-11-26 10:30, TheRandomPast wrote:
>
> and I've started the second part, the part to crack them. If anyone could
>> tell me where I'd find more information on this subject and how to crack
>> them that would be great.
>>
>
> What resources did your teacher give you? What have you been taught in
> class about this subject?
>
> --
> Robert Kern
>
> "I have come to believe that the whole world is an enigma, a harmless
> enigma
> that is made terrible by our own mad attempt to interpret it as though it
> had
> an underlying truth."
> -- Umberto Eco
>
> --
> https://mail.python.org/mailman/listinfo/python-list
>

On Wed, Nov 27, 2013 at 1:18 AM, TheRandomPast .
<> wrote:
> This is my code. I hope it looks better? I'm sorry if it doesn't. I'm trying
> to get the hang of posting by email

There are no BBCode tags here, so

Code (Text):

doesn't help you at all.
Other than that, looks good. Though if you're going to annotate your
code, please mark your comments with a hash; that way, we can simply
copy and paste your code and run it, which is a huge help. (In this
case, I can see what's going on without running it, but that's not
always true. Sometimes my crystal ball is faulty.)
[color=blue]
> wordlist = open('C:/dictionary.txt')
> try:
> words = wordlist
> except(IOError):
> print "[-] Error: Check your path.\n"
> sys.exit(1)[/color]

This now is functional but completely useless. You can drop this whole
block of code.
[color=blue]
> words = open('C:/dictionary.txt')
> print "\n",len(words),"words loaded…" (This line now throws up an error
> where it wasn't before: TypeError: object of type 'file' has no len()[/color]

The problem is that you've left out the readlines() call, so you now
aren't looking at a list, you're looking at the file object itself.
But take heart! A file object is iterable, so as long as you don't
mind losing this line of status display, it'll all work.
[color=blue]
> for word in words:
> hash = hashlib.md5(word[:-1])
> value = hash.hexdigest()[/color]

This is all very well, but you actually don't do anything with the
hash and the value. Tip: This would be a good place to stash them all
somewhere so you can look them up quickly.

Side point: You're currently assuming that each word you get is
terminated by exactly a single newline. It'd be clearer to, instead of
slicing off the last character with the smiley [:-1] (not sure what
that represents - maybe he has a pen lid sticking out of his mouth?),
try stripping off whitespace. Strings have a method that'll do that
for you.
[color=blue]
> if hashes == value:
> print "[+] Password is:"+word,"\n"
> sys.exit(0)[/color]

This is where you'd look up in what you've stashed, except that at no
point before this do you query the user for the hash to look up.

I recommend you think in terms of an initialization phase, and then a
loop in which you ask the user for input. That would be the most
normal way to do things. As it is, there's no loop, so having an
"exit" option is actually fairly useless.

By the way, are you also learning about Python 3, or are you
exclusively studying Python 2? Python 2 is now a dead end; no new
features are being added to it, and it's to be supported with some bug
fixes for a while, and then security patches only after that;
meanwhile, Python 3 just keeps on getting better. We're now able to
play with a beta of 3.4 that adds a bunch of fun stuff above 3.3
(which added a veritable ton of awesomeness over 3.2), and there are
features slated for 3.5 after that. Even if your course is teaching
only the old version, it'd be good for you, as a programmer, to
explore the differences in the new version; the sooner you get your
head around the difference between Unicode strings and collections of
bytes, the easier your life will be, and Py3 makes that distinction a
lot clearer than Py2 did.

doesn't help you at all.
> Other than that, looks good. Though if you're going to annotate your
> code, please mark your comments with a hash; that way, we can simply
> copy and paste your code and run it, which is a huge help. (In this
> case, I can see what's going on without running it, but that's not
> always true. Sometimes my crystal ball is faulty.)
>[color=green]
> > wordlist = open('C:/dictionary.txt')
> > try:
> > words = wordlist
> > except(IOError):
> > print "[-] Error: Check your path.\n"
> > sys.exit(1)[/color]
>
> This now is functional but completely useless. You can drop this whole
> block of code.
>[color=green]
> > words = open('C:/dictionary.txt')
> > print "\n",len(words),"words loaded…" (This line now throws up an error
> > where it wasn't before: TypeError: object of type 'file' has no len()[/color]
>
> The problem is that you've left out the readlines() call, so you now
> aren't looking at a list, you're looking at the file object itself.
> But take heart! A file object is iterable, so as long as you don't
> mind losing this line of status display, it'll all work.
>[color=green]
> > for word in words:
> > hash = hashlib.md5(word[:-1])
> > value = hash.hexdigest()[/color]
>
> This is all very well, but you actually don't do anything with the
> hash and the value. Tip: This would be a good place to stash them all
> somewhere so you can look them up quickly.
>
> Side point: You're currently assuming that each word you get is
> terminated by exactly a single newline. It'd be clearer to, instead of
> slicing off the last character with the smiley [:-1] (not sure what
> that represents - maybe he has a pen lid sticking out of his mouth?),
> try stripping off whitespace. Strings have a method that'll do that
> for you.
>[color=green]
> > if hashes == value:
> > print "[+] Password is:"+word,"\n"
> > sys.exit(0)[/color]
>
> This is where you'd look up in what you've stashed, except that at no
> point before this do you query the user for the hash to look up.
>
> I recommend you think in terms of an initialization phase, and then a
> loop in which you ask the user for input. That would be the most
> normal way to do things. As it is, there's no loop, so having an
> "exit" option is actually fairly useless.
>
> By the way, are you also learning about Python 3, or are you
> exclusively studying Python 2? Python 2 is now a dead end; no new
> features are being added to it, and it's to be supported with some bug
> fixes for a while, and then security patches only after that;
> meanwhile, Python 3 just keeps on getting better. We're now able to
> play with a beta of 3.4 that adds a bunch of fun stuff above 3.3
> (which added a veritable ton of awesomeness over 3.2), and there are
> features slated for 3.5 after that. Even if your course is teaching
> only the old version, it'd be good for you, as a programmer, to
> explore the differences in the new version; the sooner you get your
> head around the difference between Unicode strings and collections of
> bytes, the easier your life will be, and Py3 makes that distinction a
> lot clearer than Py2 did.
>
> ChrisA
> --
> https://mail.python.org/mailman/listinfo/python-list
>[/color]

Algorithms for cracking md5 hashes is not a python topic, but rather a
cryptography topic. When you find an algorithm to use, then if you have
trouble converting it into code we may be able to help with that bit.

On Tue, 26 Nov 2013 14:18:33 +0000, TheRandomPast . wrote:
> - Teacher has taught us nothing about MD5. This being the script he
> wanted us to write came as a surprise to everyone but complaints about
> projects are constantly ignored. This particular teacher is complained
> about for this reason every year but nothing ever changes.

ok .... forget about python for a minute.

write down the steps you need to follow to solve the problem in plain
english.

1) Get the list of hashes from a website
2) Brute force the hashes using a dictionary

But 2 needs a dictionary:

1) Load a dictionary
2) Get the list of hashes from a website
3) Brute force the hashes using a dictionary

So you need a function to load the dictionary (from a local file?), a
function to get the list of hashes, a function to try and brute force a
hash using the dictionary, and some logic to tie it all together.

global data: list of words, list of hashes

load_dictionary ( file )
read the words from the file

get_hashes( url )
read the hashes from the url

brute_force()
do every hash in hashes
do every word in words
if md5( word ) is hash
solved this hash!

Surely that should have been "drives for cover" I guess I'll play on ...

Before I go look it up, I'm guessing that the etymology of "stumped" is
actually coming from the problem of a plough getting stuck on a stump (i.e.
can't progress any further). Not much of an issue anymore since the
invention of the stump-jump plough:https://en.wikipedia.org/wiki/Stump-jump_plough

(Looked it up, my guess is considered the most likely origin of the term).

On Wed, Nov 27, 2013 at 1:55 PM, Tim Delaney
<> wrote:
> Before I go look it up, I'm guessing that the etymology of "stumped" is
> actually coming from the problem of a plough getting stuck on a stump (i.e.
> can't progress any further). Not much of an issue anymore since the
> invention of the stump-jump plough:
> https://en.wikipedia.org/wiki/Stump-jump_plough
>

Australian inventiveness! We were too lazy to dig out the stumps
before ploughing, so we came up with a solution.

And dictionary is working, as is the brute force however the issue I have
having is with my chklength() as no matter how many characters I input it
skips the !=32 and goes straight to asking the user to chose either Brute
Force or Dictionary. I want an error to be shown if the hash is less than
or more than 32 characters but at present this chklength() doesn't work as
I thought it would.

Can anyone point out an obvious error that I am missing?

On Wed, Nov 27, 2013 at 2:58 AM, Chris Angelico <> wrote:
> On Wed, Nov 27, 2013 at 1:55 PM, Tim Delaney
> <> wrote:
> > Before I go look it up, I'm guessing that the etymology of "stumped" is
> > actually coming from the problem of a plough getting stuck on a stump
> (i.e.
> > can't progress any further). Not much of an issue anymore since the
> > invention of the stump-jump plough:
> > https://en.wikipedia.org/wiki/Stump-jump_plough
> >
>
> Australian inventiveness! We were too lazy to dig out the stumps
> before ploughing, so we came up with a solution.
>
> ChrisA
> --
> https://mail.python.org/mailman/listinfo/python-list
>

Share This Page

Welcome to The Coding Forums!

Welcome to the Coding Forums, the place to chat about anything related to programming and coding languages.

Please join our friendly community by clicking the button below - it only takes a few seconds and is totally free. You'll be able to ask questions about coding or chat with the community and help others.
Sign up now!